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1.  Introduction 


Signature  detection  is  a  very  performance-intensive  task  in  regard  to  network 
traffic.’  Extremely  lightweight  intrusion  detection  (ELIDe)  was  developed  to 
reduce  the  performance  requirements  for  malicious-packet  detection  for  use  in  low 
size,  weight,  and  power  (SWaP)  devices  such  as  mobile  phones.^  These  devices  can 
perform  signature  detection  on  network  traffic  in  tactical  environments  where 
SWaP  bandwidth,  power,  and  battery  life  are  limited. 

For  EEIDe  to  be  useful  on  low-performance,  low-power  devices,  its  power 
utilization  needs  to  be  fully  understood.  In  a  related  report,^  we  have  evaluated  the 
effect  of  EEIDe’s  power  usage  at  varying  throughput  speeds  to  a  mobile  device.  In 
addition,  we  evaluated  how  to  vary  the  packet  size  while  keeping  throughput 
constant.  The  intention  was  to  define  a  spectrum  of  possible  traffic  types  to 
determine  how  they  affect  EEIDe’s  power  utilization  and  performance. 

Controlling  the  characteristics  of  network  traffic  as  it  is  being  sent  to  a  mobile 
device  is  a  very  difficult  task.  In  general,  network  traffic  cannot  be  manipulated 
before  being  received  by  the  device,  unless  a  Berkley  Packet  Filter  is  used  or  the 
amount  of  network  traffic  that  gets  classihed  is  limited.'’  However,  the  way  in  which 
EEIDe  classihes  packets  can  vary. 

EEIDe  reduces  a  network  packet  into  a  set  of  N-grams  using  a  sliding  window.^ 
The  length  of  these  N-grams  can  be  adjusted  to  be  smaller  or  larger.  In  Chang  et 
al.^  the  EEIDe  was  found  to  be  most  accurate  when  a  lO-byte  N-gram  was  used  in 
evaluating  the  test  data.  However,  classihcation  of  other  types  of  malicious  packets 
could  be  more  or  less  accurate  by  increasing  or  decreasing  the  length  of  the  N-gram 
used  by  EEIDe.  The  final  weight  used  by  EEIDe  is  still  determined  by  the  hash 
length. 

As  a  packet  is  divided  into  N-grams,  these  features  are  then  hashed  and  the  hashes 
masked  to  a  user-defined  length.^  The  final  hash  length  determines  length  of  the 
final  feature  vector,  as  well  as  the  length  of  the  weight  file  that  is  created  during  the 
learning  phase.  The  larger  the  hash  length,  the  larger  the  feature  vector — which 
means  more  calculations,  and  ultimately  computational  resources,  required  to 
compute  the  dot  product  between  the  weight  and  feature  vector. 

Both  the  N-gram  and  hash  length  are  set  during  the  learning  phase.^  Depending  on 
the  data  set  that  the  EEIDe  is  attempting  to  learn,  these  values  can  be  varied  in  order 
to  achieve  greater  accuracy.  In  addition,  because  hash  length  can  greatly  affect  the 
performance  required  for  the  classification,  the  hash  length  can  be  set  smaller  to 
decrease  the  amount  of  processing  and  limit  the  amount  of  power  utilized. 
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Depending  on  mission  requirements,  aeeuraey  of  deteetion  ean  be  lowered  in  favor 
of  better  performanee  and  power  utilization  by  adjusting  the  hash  length. 

To  understand  how  varying  these  values  affeets  power  utilization,  we  have  run  a 
number  of  experiments  to  determine  how  N-gram  and  hash  length  impaets  the 
power  utilization  on  a  mobile  deviee. 

2.  Setup 

Similar  to  the  report  on  power  utilization,^  we  utilized  many  of  the  same  deviees 
and  the  same  test  environment  in  order  to  eharaeterize  the  power  utilization  of 
ELIDe.  The  ELIDe  port  to  Android  is  a  newer  version  that  is  modified  to  allow 
ehanging  the  weight  file  used  without  redeploying  the  applieation. 

2.1  Mobile  Device 

We  used  the  same  Sprint-brand  Galaxy  S3  smart  phone.  The  Galaxy  S3  line  of 
smart  phones  varied  in  its  teehnieal  speeifieations  depending  on  the  earrier.  For 
referenee,  the  Sprint-brand  Galaxy  S3  has  the  following  teehnieal  speeifieations: 

•  Qualeomm  Snapdraggon  S4  Plus  MSM8960 

•  Dual  eore  1.5 -GHz  Krait  Proeessor 
.  Adreno  225  graphies  proeessor 

.  2048  MB  of  random-aeeess  memory  (RAM) 

.  32-GB  internal  storage 

•  2, 100-mAh  battery 

2.2  Network 

We  utilize  the  mobile  phone’s  Wi-Fi  adapter  for  network  traffie  assoeiated  with  a 
wireless  aeeess  point.  To  reduee  interferenee,  the  laptop  generating  network  traffie 
utilizes  an  Ethernet  port  loeated  on  the  aeeess  point.  By  limiting  network 
eonneetivity  through  the  Ethernet  port,  wireless  traffie  would  be  loealized  to  the 
Wi-Fi  eommunieation  between  the  mobile  phone  and  the  aeeess  point.  (See  Fig.  1 .) 
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Fig.  1  Test-network  setup 

In  addition,  the  phone  was  placed  in  “auplane  mode”  while  leaving  only  the 
wireless  network  communication  enabled.  This  prevented  the  device  from 
1)  attempting  to  use  any  other  wueless  capabilities  and  2)  influencing  the  power 
readings.  All  notifrcations  were  also  disabled  during  testing  to  prevent  audio  and 
vibration  from  interfering  with  the  power-usage  information. 

The  following  devices  were  used  alongside  the  mobile  phone  for  tliis  network: 

•  Cisco  Wueless  WAP300N 

•  Dell  Latitude  E6500-Core  2  Duo  2.53  GHz,  4  GB  of  RAM 

•  Kali  Linux  1.0.7 

2.3  Software  Configuration 

Similar  to  the  work  performed  in  our  related  repoil,^  we  utilized  a  version  of  the 
ELIDe  software  polled  to  Android  for  use  on  Andr  oid  mobile  devices.  The  software 
records  the  following  statistics;  packets  classified,  the  number  of  packets  that  were 
positively  and  negatively  classifred,  and  the  number  of  packets  dr  opped  after  the 
buffer  frlls.  The  software  also  records  battery  statistics.  Every  time  the  available 
battery  power  dropped  a  percentage,  the  ciinent  runtime  of  the  test  was  also 
recorded. 

2.4  Determining  Power  Utilization 

Similarly,  too,  was  the  need  to  determine  the  amount  of  additional  power  required 
to  nin  ELIDe  continuously.^  By  recording  the  ongoing  irintime  and  battery 
percentage  utilized,  we  can  determine  the  amount  of  extra  power  used  by  ELIDe 
compared  to  when  the  device  does  not  perfonn  ELIDe  classification.  If  the  final 
irmtime  is  significantly  different  between  when  ELIDe  classification  is  used  and 
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when  it  is  not,  we  ean  determine  that  ELIDe  elassifieation  will  use  signifieantly 
more  power  versus  when  the  runtimes  only  vary  a  little. 

To  ealeulate  the  exaet  pereentage  of  additional  battery  power  that  was  used,  the 
following  formula  is  used: 

power  consumption  with  ELIDe  enabled 

%power  = - ; - X  100 

power  consumption  without  ELIDe 

2.5  Experimental  Setup 

Using  the  test-network  setup,  our  laptop  was  eonfigured  to  send  user  datagram 
protoeoD  paekets  to  the  mobile  deviee  using  the  hping3  utility  that  is  installed  by 
default  within  the  Kali  Linux  distribution.  Beeause  we  are  not  varying  our 
throughput  or  paeket  size,  we  sent  paekets  with  600  bytes  of  padding  at  1  megabit 
per  seeond.  The  speed  and  padding  used  in  the  experiment  remained  eonstant 
throughout  eaeh  test. 

As  noted  in  our  related  report,^  the  ELIDe  Android  software  is  eonfigured  to 
eapture  paekets  into  a  buffer,  whieh  will  then  be  used  to  feed  the  elassifier.  In  the 
event  that  paekets  are  not  proeessed  fast  enough  and  the  buffer  fills,  paekets  will  be 
dropped  and  eseape  elassifieation. 

We  independently  tested  variations  in  both  N-gram  length  and  hash  length.  Beeause 
we  were  not  testing  throughput  or  paeket  size,  the  same  eontrol  eould  be  eompared 
against  eaeh  trial  to  determine  the  additional  power  required  to  run  the  elassifier  at 
different  hash  and  N-gram  lengths.  The  eontrol  data  used  the  same  throughput  and 
paeket  padding;  however,  the  elassifieation  was  disabled  so  that  the  runtime  would 
not  be  affeeted  by  inereased  power  utilization  of  ELIDe  elassifieation. 

3.  Results 


In  the  first  part  of  our  experiment,  we  measured  the  amount  of  additional  battery 
power  that  was  eonsumed  when  we  ehanged  the  N-gram  length  during  the  initial 
testing  phase.  While  a  larger  N-gram  teehnieally  results  in  fewer  N-grams  being 
produeed  from  a  single  network  paeket,  in  praetiee  the  number  of  N-grams  that  will 
be  hashed  will  ehange  very  little  between  2  lengths  of  several  bytes’  differenee. 
Due  to  this,  we  did  not  expeet  the  power  utilization  to  signifieantly  deerease  as  the 
N-gram  length  inereased.  However,  we  found  that  using  different  N-gram  lengths 
to  derive  features  from  a  paeket  did  not  eonsistently  affeet  the  amount  of  power 
utilized  by  ELIDe  elassifieation.  (See  Fig.  2.) 
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ELIDe  Power  Utilization  Using  Different  N-gram  Lengths 


Fig.  2  Power  utilization  of  ELIDe  when  varying  N-gram  length 

We  can  analyze  the  graph  and  conclude  that  there  is  no  direct  relationship  between 
power  utilization  and  scaling  the  N-gram  lengths.  However,  even-numbered 
lengths  appear  to  generally  use  less  power  than  their  adjacent  odd-numbered 
lengths,  though  the  reason  for  this  is  unclear.  A  length  of  10  bytes  utilized  the  least 
amount  of  power  in  our  experiments;  however,  this  result  may  be  due  to  random 
sampling  error. 

In  previous  experiments,  we  found  that  power  utilization  will  decrease  despite 
heavier  loads  due  to  dropped  packets.  This  drop  in  power  utilization  would  occur 
because  the  ELIDe  would  be  unable  to  finish  processing  packets  fast  enough  before 
the  buffer  filled,  thereby  dropping  packets.^  However,  we  found  that  packet  loss 
was  nearly  nonexistent,  as  shown  in  Fig.  3. 
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Packet  Loss  vs  Power  Utilization  with  ELIDe 

18 - 1 - 1  I - 1  I - 1  I - 1 - 1 - r 


N-gram  Length  (Bytes) 

Fig.  3  Packet  loss  versus  power  usage  of  ELIDe  wheu  varyiug  N-gram  leugth 

Insignificant  amounts  of  packets  were  dropped  during  ELIDe  classification; 
therefore,  we  conclude  that  varying  the  N-gram  length  does  not  affect  packet  loss, 
and  thus  would  not  skew  power-usage  data. 

3.1  Hash-Bit  Length 

Although  N-gram  length  can  make  a  difference  in  classification  accuracy, 
depending  on  the  size  of  the  features  within  a  network  packet,  the  length  does  not 
heavily  influence  the  amount  of  power  used  by  ELIDe  classification.  However, 
there  is  a  relationship  between  the  amount  of  calculations  and  the  performance 
required  when  varying  the  length  of  the  hash  because  hash  length  influences  the 
feature-vector  size.  Note  that  if  the  hash-length  width  is  increased  by  1  bit,  then  the 
feature-vector  size  will  double.  Feature-vector  size  significantly  impacts  the 
number  of  calculations  that  need  to  be  performed,  which  can  lead  to  additional 
power  utilization.  We  discovered  that  power  utilization  does  not  vary  significantly 
at  smaller  hash  sizes.  (See  Fig.  4.) 
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Fig.  4  Power  utilization  of  ELIDe  when  using  different  hash  lengths 

Although  it  is  not  significantly  different  at  lower  hash  lengths,  power  utilization 
begins  to  consistently  increase  at  a  length  of  1 1  bits.  The  amount  of  performance 
required  to  utilize  ELIDe  is  significantly  higher  than  the  performance  needed  for 
classification  until  at  a  hash  length  of  1 1  bits.  Power  utilization  for  hash  lengths 
below  1 1  bits  will  not  vary  significantly;  however,  lengths  larger  than  1 1  bits 
require  significantly  more  performance  and  power  to  perform  ELIDe  elassifieation. 
We  did  not  experienee  paeket  loss  for  the  load  that  was  put  on  the  mobile  deviee 
for  all  hash  lengths  exeept  at  a  length  of  15  bits  (as  seen  in  Fig.  5). 
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Fig.  5  Packet  loss  incurred  at  different  hash  lengths 

The  insignificant  amount  of  power  loss  indicates  that  the  throughput  and  packet 
size  tested  did  not  begin  to  exceed  the  performance  capabilities  of  the  mobile  device 
using  a  14-bit  hash  length,  and  packet  loss  only  began  to  become  significant  at  15 
bits. 

We  conclude  that  sacrificing  the  accuracy  of  longer  hash  lengths  for  shorter  lengths 
will  not  decrease  power  utilization  significantly  when  the  hash  length  is  less  than 
1 1  bits.  However,  lengths  more  than  1 1  bits  significantly  influence  the  amount  of 
performance  and  thus  battery  utilization.  The  sacrifice  of  accuracy  at  these  lengths 
will  result  in  reduced  power  consumption. 

4.  Conclusions 


The  purpose  of  the  work  was  to  determine  the  effect  of  changing  the  N-gram  and 
hash  lengths  to  verify  any  difference  in  power  utilization.  A  change  in  the  N-gram 
length  produced  an  inconsistent  pattern  in  power  utilization  by  ELIDe.  Depending 
on  the  types  of  features  that  ELIDe  can  be  trained  to  identify,  changing  the  N-gram 
length  may  be  prudent  but  will  not  significantly  affect  power  utilization. 

Changing  the  hash  length  used  by  ELIDe  did  produce  a  meaningful  pattern.  The 
larger  the  length,  the  larger  the  feature  vector  that  ELIDe  must  utilize.  The 
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increased  computational  load  did  lead  to  increased  performance  and  battery 
utilization  when  longer  than  1 1  bits,  but  it  was  not  significantly  different  for  lengths 
less  than  11.  As  the  length  approached  15  bits,  packets  were  dropped,  indicating 
that  the  performance  requirements  were  becoming  higher  than  what  the  mobile 
device  needed  to  keep  up  with  the  incoming  packets.  Thus,  if  the  hash  length  needs 
to  be  adjusted  to  allow  for  better  detection  rates,  power  utilization  would  only  be 
significantly  impacted  if  the  hash  length  starts  to  approach  15  bits  in  length. 
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